Viruses, whether digital or biological, come in all shapes and sizes. But the best defense against them stems from a unified and persistent response.
Take the Australian COVID-19 response. Federally, through the JobKeeper program, $90 billion was pledged to up to 3.5 million Australians who received $1500 per fortnight at its peak. However, state governments also stepped into the breach. In February, Tasmania pledged $160 million in COVID-19 support to its struggling businesses, with grants ranging from $1000-10,000.
In December, South Australia gave its businesses $40 million, with up to $20-22,000 pledged for businesses in the hard-hit sectors of tourism, gym/fitness and hospitality. Even the territories received relief, with payroll tax waivers for all businesses that experienced a 40% reduction in turnover, as well as one-off grants of $3000 for employing businesses and a 30% reduction on their regulated utility bills. This ongoing support, from both the federal and state governments, made the difference during such unpredictable times.
As Australia continues to effectively manage COVID-19, it should also acknowledge another persistent issue that threatens the wellbeing of our small to medium-sized enterprises (SMEs), the backbone of our economy. Of our businesses, 96% have fewer than 200 employees.
These enterprises are largely unprepared and under-resourced for today’s sophisticated cyber threats, state actors and well-organised criminal gangs. This issue comes in the form of crippling ransomware, credential stealers, targeted system hacks and cyber espionage. In 2017, Petya, a ransomware attack, took out Ukraine’s power grid and airport, as well as many of its banks.
In fact, ever since Russia’s annexation of the Crimean Peninsula in 2014, Ukraine has continually faced down cyberthreats, including two blackouts that hit its capital Kyiv within months of each other in 2015-16.
Necessity has shown Ukraine and others that to protect their citizenry and their economies, they need the cyber equivalent of the Iron Dome, the Israeli defense system which protects its mainland from missile bombardment.
As a matter of fact, Israel’s National Cyber Directorate is embarking on creating and mandating cyber security standards for its telecommunications businesses to create what they themselves call “a kind of ‘Iron Dome’ from cyber security attacks”, says Communications Minister Yoaz Hendel. As our recent threat report indicated, with more than 400 new threats each minute, standards that unify all players on the attack surface are critical.
But while high-level defenses for utilities and government are essential, Australia must consider an “Iron Dome” for SMEs that recognises that it is unfair to expect such enterprises to be able to adequately protect themselves without government support. This kind of cyber “Iron Dome” should involve a layered cybersecurity approach that encompasses leading-edge threat prevention, detection and response technologies coupled with elite security analysts and threat hunters.
This is both a national and economic security issue. SMEs must be given their own defensive resources, so that they don’t become the weakest link in the chain. In 2021, an Australian Institute of Criminology report estimated a $3.5 billion economic impact for Australia. The vast majority of the costs, $1.9 billion worth, were suffered by Australian citizens, whether targeted specifically or otherwise ensnared in massive data leaks. And while the proportion of businesses reporting major security breaches had shrunk to 8% pre-COVID, the move towards remote work in its aftermath has shifted the game towards poorly secured home IT setups, where multiple family members may be using the same computer, and sensitive data may be accessed on unmanaged devices, such as personal phones.
This means creating a COVID-style support system for under-resourced enterprises crawling their way out of the pandemic into brand-new hybrid work realities. Again, they shouldn’t be expected to do this alone. Australian Strategic Policy Institute International Cyber Policy Centre head Fergus Hanson has recommended creating tax incentives for larger businesses attempting to implement cybersecurity standards, rather than onerous fines. Managed detection and response (MDR) and extended detection and response (XDR) are critical components, as is supporting managed security service providers (MSSPs) that can extend enterprises’ in-house resources with the kind of capabilities that would normally be out of reach.
A cyber “Iron Dome” that doesn’t explicitly seek to bolster the resources of MSPs will be inadequate in the face of our cybersecurity challenge. We feel these incentives should also be extended to most enterprises, whether to help them extend endpoint protection to their hybrid workforce (or the nation’s freelancers, another often-ignored segment of the attack surface) or to cover premium payments for cyber insurance, in the event of a data breach. For in the world of cybersecurity, the question is not whether you’ll have a breach — it’s when.
Before his defeat, Scott Morrison announced a $9 billion cybersecurity and intelligence package for the nation’s defense. It would be good to see the new Labor Government extend this protection towards the nation’s small businesses, which have contributed 32% of the nation’s GDP. We’ve already done much to keep them safe from the worst effects of COVID. The Iron Dome we are now constructing around our own digital infrastructure should extend fully and equally to them as well.